>>Even if something like object level auditing was enabled and the logs
sent to a remote host, couldn't the admin, as a first step, disable this
logging?<<
AFAIK disabling auditing, as well as deleting any audit entry, generates
an event: whoever does it will have to explain why.
Marco
www.neovalens.com
-----Original Message-----
From: Michael Cox [mailto:mscox42 (at) yahoo (dot) com [email concealed]]
Sent: Friday, January 30, 2004 8:56 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Controlling Admin Access
I'd like to solicit the group's input on the following.
Domain administrators, by definition, are going to have complete access
to member computers.
Is anyone doing anything to mitigate the potential risks involved with
access to, say, an executive's computer which could have very sensitive
data on it (mergers and acquisitions, for example)?
One obvious answer is encryption, but I'm curious what is available in
the Windows world as I'm not as familiar with that.
Even if something like object level auditing was enabled and the logs
sent to a remote host, couldn't the admin, as a first step, disable this
logging?
Please answer both 1) what is possible, and 2) what is your organization
or other organizations you know of doing about this (if anything).
Many thanks in advance!
Michael
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/
>>Even if something like object level auditing was enabled and the logs
sent to a remote host, couldn't the admin, as a first step, disable this
logging?<<
AFAIK disabling auditing, as well as deleting any audit entry, generates
an event: whoever does it will have to explain why.
Marco
www.neovalens.com
-----Original Message-----
From: Michael Cox [mailto:mscox42 (at) yahoo (dot) com [email concealed]]
Sent: Friday, January 30, 2004 8:56 PM
To: focus-ms (at) securityfocus (dot) com [email concealed]
Subject: Controlling Admin Access
I'd like to solicit the group's input on the following.
Domain administrators, by definition, are going to have complete access
to member computers.
Is anyone doing anything to mitigate the potential risks involved with
access to, say, an executive's computer which could have very sensitive
data on it (mergers and acquisitions, for example)?
One obvious answer is encryption, but I'm curious what is available in
the Windows world as I'm not as familiar with that.
Even if something like object level auditing was enabled and the logs
sent to a remote host, couldn't the admin, as a first step, disable this
logging?
Please answer both 1) what is possible, and 2) what is your organization
or other organizations you know of doing about this (if anything).
Many thanks in advance!
Michael
__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free web site building tool. Try it!
http://webhosting.yahoo.com/ps/sb/
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
[ reply ]